Public cloud security doesn't end with the cloud provider

By David Egts

Feb 20, 2018

Over the past couple of years, initiatives like Cloud First and the Federal Risk and Authorization Management Program prompted government IT leaders to give public cloud platforms a second look. Public cloud providers have invested resources to ensure that their offerings are measurably more secure than they used to be. Even so, public clouds still pose a risk for agencies operating under strict privacy, security and compliance regulations.

Despite the fact that many public cloud providers have teams dedicated to providing security at the software-as-a-service, platform-as-a-service or infrastructure-as-a-service layers, agency IT professionals must play their part too. Their own teams must take responsibility for securing the last mile -- the stretch between where the cloud provider’s responsibility ends and the agency's responsibility begins.

Agency IT teams should consider the following when reinforcing the security of their cloud environments.

SaaS: Set permissions correctly

SaaS providers are responsible for securing their applications, but it is up to federal IT professionals to set content permissions correctly. Those permissions will vary depending on the agency, and they should be regularly checked and adjusted as necessary. Many SaaS providers let administrators control user sharing permissions so they can strike their desired balance of convenience and security.

Administrators should enforce the “principle of least privilege” by configuring SaaS tools so that read and write permissions are granted only to those who need them. For example, workers who don't have a good sense of the security settings of their web-based documents can end up exposing that content to a wide world beyond their intended collaborators. Overly permissive read access privileges can give the wrong people access to sensitive information, as was the case last year when millions of Dow Jones customers’ information was compromised. Open write permissions can give malicious users an opportunity to create “fake content” that causes legitimate users to become distrustful of what was, originally, valid content.

IT administrators must set user permissions like they would for Goldilocks -- not too tight, and not too loose, but just right -- to prevent misuse of both read (leaks) and write (data corruption or tainting which can lead to distrust) permissions.

PaaS: Assess container security

Linux containers have become increasingly popular due to their convenience and promise of greater speed and flexibility, but security remains a question for many providers. IT administrators should scan and remediate container images to ensure they don’t have known security flaws or diverge from an agency’s security baselines. Ideally, they can work with development teams using DevOps techniques to automate security checking and remediation in their developers’ continuous integration and deployment pipelines. This will prevent developers from getting slowed down by manual security processes every time they want to push application updates into production.

Vendors should be required to be transparent about their container images' state of security. “Container health indexes” can help. These repositories provide daily and on-demand ratings of the security of Linux container images, enabling administrators to judge which containers are safe to use and which contain known vulnerabilities.

IaaS: Secure the platform

IaaS providers are responsible for lighting up their hardware and creating an efficient and secure virtual space for customers’ cloud virtual machines. But agency administrators must ensure that their guest operating systems are fully patched and compliant with security baselines.

Administrators should use the same management platforms and tools they employ to scan and remediate physical and virtualized infrastructure systems on their own cloud virtual machines. A common platform can eliminate the need for separate teams skilled in different management software or “swivel chair administration” between management tools. The unified tools can offer a holistic view of agencies’ security across physical systems, virtualized infrastructure or the cloud.

There are other important security measures administrators can take. They should turn off, and possibly quarantine, virtual machines no longer in use, thereby preventing an attacker from breaking into a unpatched, low-value cloud VM and then moving laterally in the cloud infrastructure to more lucrative targets. Security-Enhanced Linux can enforce access controls and security policies, and identity management lets IT professionals consolidate, minimize and audit who has administrative access to their systems. They should enforce multi-factor authentication to help ensure people are who they say they are.

Finally, IaaS environments must be automated as much as possible to reduce the potential for human error, resulting in better security. Administrators can use dashboards and remote command tools to easily monitor their automated infrastructures and quickly fix security issues.

Public cloud platforms can certainly provide great benefits, as long as federal IT administrators take some measure of responsibility and do their part to secure their environments.

About the Author

David Egts is chief technologist, North America Public Sector, Red Hat.